Abstract

Bit commitment involves the submission of evidence from one party to another so 
that the evidence can be used to confirm a later revealed bit value by the first party, 
while the second party cannot determine the bit value from the evidence alone. It 
is widely believed that unconditionally secure quantum bit commitment is impossible 
due to quantum entanglement cheating, which is codified in a general impossibility 
theorem. In this paper, the scope of this general impossibility proof is extended and 
analyzed, and gaps are found. Three specific protocols are described for which the 
entanglement cheating as given in the impossibility proof fails to work. One of these 
protocols, QBC2, is proved to be unconditionally secure. 

PACS #: 03.67Dd, 03.65Bz 



NOTE 

(1) In this v7 of the paper, which is really version 3, the two previous versions are subsumed and complete proofs are given for all the claims. The "history" of some of the protocols discussed can be traced from the previous v1-v6 of this paper.

(2) Many of the points made in this version were mentioned in my Capri talk in July 2000. However, the paper prepared for that Proceedings volume, which is available at quant-ph/0009113, concentrates on anonymous-key cryptography with only passing remarks on bit commitment.

(3) The reader interested only in an unconditionally secure quantum bit commitment protocol can go directly from Section II to Section VI.
I Introduction



Quantum cryptography [1], the study of information security systems involving quantum effects, has recently been associated almost exclusively with the cryptographic objective of key distribution. This is due primarily to the nearly universal acceptance of the general impossibility of secure quantum bit commitment (QBC), taken to be a consequence of the Einstein-Podolsky-Rosen (EPR) type entanglement cheating which rules out QBC and other quantum protocols that have been proposed for various other cryptographic objectives […]. In a bit commitment scheme, one party, Adam, provides another party, Babe, with a piece of evidence that he has chosen a bit b (0 or 1) which is committed to her. Later, Adam would "open" the commitment: revealing the bit b to Babe and convincing her that it is indeed the committed bit with the evidence in her possession. The usual concrete example is for Adam to write down the bit on a piece of paper which is then locked in a safe to be given to Babe, while keeping for himself the safe key that can be presented later to open the commitment. The evidence should be binding, i.e., Adam should not be able to change it, and hence the bit, after it is given to Babe. It should also be concealing, i.e., Babe should not be able to tell from it what the bit b is. Otherwise, either Adam or Babe would be able to cheat successfully.

In standard cryptography, secure bit commitment is to be achieved either through a trusted third party or by invoking an unproved assumption on the complexity of a certain computational problem. By utilizing quantum effects, various QBC schemes not involving a third party have been proposed that were supposed to be unconditionally secure, in the sense that neither Adam nor Babe can cheat with any significant probability of success as a matter of physical laws. In 1995-1996, a general proof on the impossibility of unconditionally secure QBC and the insecurity of previously proposed protocols were described […]. Henceforth, it has been accepted that secure QBC and related objectives are impossible as a matter of principle […].

There is basically just one impossibility proof, which gives the EPR attacks for the cases of equal and unequal density operators that Babe has for the two different bit values. The proof shows that if Babe's successful cheating probability $P_c^B$ is close to the value 1/2, which is obtainable from pure guessing of the bit value, then Adam's successful cheating probability $P_c^A$ is close to the perfect value 1. This result is stronger than the mere impossibility of unconditional security, namely that it is impossible to have both $P_c^B \approx 1/2$ and $P_c^A \approx 0$. Since there is no known characterization of all possible QBC protocols, logically there can really be no general impossibility proof, strong or not, even if it were indeed impossible to have an unconditionally secure QBC protocol. This problem of scope of the impossibility proof can be seen from the following simple example.

Suppose Adam commits a state $|\phi\rangle$ of a single qubit (two-dimensional quantum state space) for the bit value 0 and $|\phi'\rangle$ for 1. Adam opens by declaring the bit value, and Babe verifies by measuring the corresponding projection, $|\phi\rangle\langle\phi|$ or $|\phi'\rangle\langle\phi'|$. It is intuitively clear, but will be formalized as local state invariance in this paper, that Adam can launch no effective EPR cheat. Of course, it is true in this case that if $P_c^B \approx 1/2$ then $|\langle\phi|\phi'\rangle| \approx 1$, so $P_c^A \approx 1$ simply by declaring the bit value 1 even when $|\phi\rangle$ is committed. However, it is a priori possible for a protocol to have the property that $P_c^B \approx 1/2$ while Adam cannot form any effective cheating entanglement as in this example but with $P_c^A \approx 0$. To have a general impossibility proof, one has to show that this property cannot be obtained in any QBC protocol or that any unconditionally secure QBC protocol would contradict some known principle. The mere absence of counterexamples does not constitute a proof.

The general questions of scope of the impossibility proof will be addressed specifically in Section IV. Three QBC schemes not covered by the impossibility proof will be described in Sections V-VII, although only one of them, QBC2 in Section VI, is proved to be unconditionally secure in this paper. The results are developed within nonrelativistic quantum mechanics, unrelated to relativistic protocols or cheat-sensitive protocols [10]. The essential point is that the flow of classical information between Adam and Babe in the protocol is crucial to the possible operations they can carry out, hence fundamentally affecting the security level of the scheme. In the impossibility proof, it is basically assumed that both Adam and Babe possess full information at each stage of the protocol, an unwarranted assumption.

In Section II the impossibility proof will be reviewed. Since the issues involved in quantum cryptography, or classical cryptography for that matter, are often subtle, it is the policy of this paper to give complete proofs for its claims. Thus, the gap between the quantitative impossibility claim and the result available in the literature will be filled. An in-principle insecure protocol QBC0 is also described that underlies QBC1 and QBC3. In Section III, the impossibility proof in the original formulation is extended to cover the situation in which Babe applies a superoperator transformation to Adam's committed state before perfect verification. Another insecure protocol QBC01, related to QBC0, is described as an illustration. The reader who just wants to see an unconditionally secure QBC protocol can go directly from Section II to Section VI. Note that the results in this paper are valid in infinite-dimensional spaces. Also, the same index symbols i, j, etc., may denote different quantities in different sections.
II The Impossibility Proof

In this Section we review the standard formulation of the impossibility proof and then recast it in a form more suitable for quantitative analysis and extension, and describe a protocol QBC0. The development of this section will be used in the rest of the paper.

According to the impossibility proof, Adam would generate $|\Phi_0\rangle$ or $|\Phi_1\rangle$ depending on b = 0 or 1,

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\,|e_i\rangle|\phi_i\rangle, \qquad (1)$$

$$|\Phi_1\rangle = \sum_i \sqrt{p'_i}\,|e'_i\rangle|\phi'_i\rangle, \qquad (2)$$

where the states $|\phi_i\rangle$ and $|\phi'_i\rangle$ in $\mathcal{H}^B$ are openly known, $i \in \{1,\dots,M\}$, $\{p_i\}$ and $\{p'_i\}$ are known probabilities, while $\{|e_i\rangle\}$ and $\{|e'_i\rangle\}$ are two complete orthonormal sets in $\mathcal{H}^A$. All Dirac kets are normalized in this paper. Adam sends Babe $\mathcal{H}^B$ while keeping $\mathcal{H}^A$ to himself. He opens by measuring the basis $\{|e_i\rangle\}$ or $\{|e'_i\rangle\}$ in $\mathcal{H}^A$ according to his committed state $|\Phi_0\rangle$ or $|\Phi_1\rangle$, resulting in a specific $|\phi_i\rangle$ or $|\phi'_i\rangle$ on $\mathcal{H}^B$, and telling Babe which i he has obtained. Babe verifies by measuring the corresponding projector and will obtain the value 1 (yes) with probability 1. Adam can, as was argued, switch between $|\Phi_0\rangle$ and $|\Phi_1\rangle$ by operation on $\mathcal{H}^A$ alone, and thus alter the evidence to suit his choice of b before opening the commitment. In the case $\rho_0^B = \mathrm{tr}_A|\Phi_0\rangle\langle\Phi_0| = \rho_1^B = \mathrm{tr}_A|\Phi_1\rangle\langle\Phi_1|$, the switching operation is to be obtained by using the so-called "Schmidt decomposition [11]," the expansion of $|\Phi_0\rangle$ and $|\Phi_1\rangle$ in terms of the eigenstates $|\phi_k\rangle$ of $\rho_0^B = \rho_1^B$ with eigenvalues $\lambda_k$ and the eigenstates $|e_k\rangle$ and $|e'_k\rangle$ of $\rho_0^A$ and $\rho_1^A$,

$$|\Phi_0\rangle = \sum_k \sqrt{\lambda_k}\,|e_k\rangle|\phi_k\rangle, \qquad |\Phi_1\rangle = \sum_k \sqrt{\lambda_k}\,|e'_k\rangle|\phi_k\rangle. \qquad (3)$$

By applying a unitary that brings $\{|e_k\rangle\}$ to $\{|e'_k\rangle\}$, Adam can select between $|\Phi_0\rangle$ or $|\Phi_1\rangle$ any time before he opens the commitment but after he supposedly commits. When $\rho_0^B$ and $\rho_1^B$ are not equal but close, it was shown that one may transform $|\Phi_0\rangle$ by an operation on $\mathcal{H}^A$ to a $|\tilde\Phi_0\rangle$ with $|\langle\Phi_1|\tilde\Phi_0\rangle|$ as close to 1 as $\rho_0^B$ is close to $\rho_1^B$ according to the fidelity F chosen, and thus the state $|\tilde\Phi_0\rangle$ would serve as the effective EPR cheat.

In addition to the above quantitative relations, the gist of the impossibility proof is supposed to lie in its generality - that any QBC protocol could be fitted into its formulation, as a consequence of various arguments advanced in […]. Among other reasons to be elaborated in Section IV, it appeared to the present author from his development of a new cryptographic tool, anonymous quantum key technique [12], that the impossibility proof is not sufficiently general. First of all, there is no need for Adam to entangle anything in an honest protocol. When Adam picks b = 0, he can just send Babe a state $|\phi_i\rangle$ with probability $p_i$. When he picks b = 1, he sends $|\phi'_i\rangle$ with probability $p'_i$. If the anonymous key technique is employed, $|\phi_i\rangle$ and $|\phi'_i\rangle$ are to be obtained from applying $U_i$ or $U'_i$ from some fixed openly known set of unitary operators $\{U_i\}$ and $\{U'_i\}$ on $\mathcal{H}^B$ by Adam to the states sent to him by Babe and known only to her. As a consequence, Adam would not be able to determine the cheating unitary transformation as in protocol QBC1, to be described in Section V after the impossibility proof is first analyzed generally.

In a QBC protocol, the $\{|\phi_i\rangle\}$ and $\{|\phi'_i\rangle\}$ are chosen so that they are concealing as evidence, i.e. Babe cannot reliably distinguish them in optimum binary hypothesis testing [13]. (The role of quantum detection theory in QBC together with some new results used in this paper are elaborated in Appendix A.) They would also be binding if Adam is honest and sends them as they are above, which he could not change after Babe receives them. Babe can always guess the bit with a probability of success $P_c^B = 1/2$, while Adam should not be able to change a committed bit at all. However, it is meaningful and common to grant unconditional security when the best $P_c^B$ Babe can achieve is arbitrarily close to 1/2 and Adam's best probability of successfully changing a committed bit $P_c^A$ is arbitrarily close to zero even when both parties have perfect technology and unlimited resources including unlimited computational power. To facilitate the quantitative analysis of these performance measures, the impossibility proof would first be reformulated.

Before proceeding, note the following basic property of entanglement important in QBC.

Theorem (Local State Invariance): Let $\rho^{AB}$ be a state on $\mathcal{H}^A \otimes \mathcal{H}^B$ with marginal states $\rho^A = \mathrm{tr}_B\,\rho^{AB}$, $\rho^B = \mathrm{tr}_A\,\rho^{AB}$. The individual or combined effects of any state transformation and quantum measurement (averaged over the measurement results) on $\mathcal{H}^A$ alone leave $\rho^B$ invariant.

See Appendix B for a proof and a discussion of its role in the impossibility of superluminal communication via quantum entanglement.

As a consequence of this theorem, Adam cannot cheat by changing the $\rho_0^B \ne \rho_1^B$ case to the $\rho_0^B = \rho_1^B$ case whatever the ρ's are. In particular, a single pure state as in the example of Section I cannot be changed.

The operation of unitary transformation with subsequent measurement of an orthonormal basis is equivalent to the mere measurement of another orthonormal basis $\{|\tilde e_i\rangle\}$ on the system. Thus, the net cheating operation can be described by writing

$$|\Phi_0\rangle = \sum_i \sqrt{\tilde p_i}\,|\tilde e_i\rangle|\tilde\phi_i\rangle, \qquad (4)$$

$$\sqrt{\tilde p_i}\,|\tilde\phi_i\rangle = \sum_j \sqrt{p_j}\,V_{ij}\,|\phi_j\rangle \qquad (5)$$

for a unitary matrix V defined by $|e_j\rangle = \sum_i V_{ij}\,|\tilde e_i\rangle$, and then measuring $|\tilde e_i\rangle$. For convenience, we may still in the rest of the paper refer to the cheating operation as a transformation described at the beginning of this Section. Local state invariance is a property complementary to the fact that the $|\tilde\phi_i\rangle$ obtainable by operation on $\mathcal{H}^A$ alone are some proper linear combinations of the $|\phi_j\rangle$ from (5). The quantitative expression for $P_c^A$ can now be given. If Babe verifies the individual $|\phi'_i\rangle$, then Adam's successful cheating probability is

$$P_c^A = \sum_i \tilde p_i\,|\langle\phi'_i|\tilde\phi_i\rangle|^2. \qquad (6)$$

In general, the optimal cheating probability $P_c^B$ for Babe is given by the probability of correct decision for optimally discriminating between two density operators $\rho_0^B$ and $\rho_1^B$ by any quantum measurement. From (A4) with $p_0 = 1/2$,

$$P_c^B = \frac{1}{4}\left(2 + \|\rho_0^B - \rho_1^B\|_1\right) \qquad (7)$$

where $\|\cdot\|_1$ is the trace norm, $\|\tau\|_1 = \mathrm{tr}\,(\tau^\dagger\tau)^{1/2}$ for a trace-class operator τ [14]. In terms of a security parameter n that can be made arbitrarily large, the statement of unconditional security (US) can be quantitatively expressed as

$$\text{(US)} \qquad \lim_n P_c^B = \frac12 \quad \text{and} \quad \lim_n P_c^A = 0. \qquad (8)$$

Condition (US) is equivalent to the statement that for any ε > 0, there exists an $n_0$ such that for all $n > n_0$, $|P_c^B - \frac12| < \varepsilon$ and $P_c^A < \varepsilon$, i.e. $P_c^B - \frac12$ and $P_c^A$ can both be made arbitrarily small for sufficiently large n. The impossibility proof claims a lot more than the mere impossibility of (US); it asserts […] the following statement (IP):

$$\text{(IP)} \qquad \lim_n P_c^B = \frac12 \;\Rightarrow\; \lim_n P_c^A = 1. \qquad (9)$$

In the $\rho_0^B = \rho_1^B$ case, the EPR cheat shows that $P_c^B = \frac12$ implies $P_c^A = 1$. Thus (IP) generalizes it to the assertion that the function $P_c^A(P_c^B)$, obtained by varying n, is continuous from above at $P_c^B = \frac12$. Note the considerable difference between the truth of (IP) and the much weaker statement that (US) is impossible. In the middle ground that $\lim_n P_c^B = \frac12$ implies just $0 < \lim_n P_c^A < 1$, the protocol would be concealing for Babe and cheat-sensitive for Adam.

The key observation […] in the proof of (IP) is the use of Uhlmann's theorem, that there exist purifications $|\Phi_0\rangle$ and $|\Phi_1\rangle$ of any given $\rho_0$ and $\rho_1$ such that $|\langle\Phi_0|\Phi_1\rangle|^2$ attains the maximum possible value given by $F(\rho_0,\rho_1) = \left(\mathrm{tr}\sqrt{\sqrt{\rho_0}\,\rho_1\sqrt{\rho_0}}\right)^2$. The conclusion is drawn, without supporting details, that if $F(\rho_0^B,\rho_1^B)$ is close to 1, then so is $P_c^A$. This conclusion can be related to (IP) via the bound [15]

$$2\left[1 - \sqrt{F(\rho_0,\rho_1)}\right] \le \|\rho_0 - \rho_1\|_1 \qquad (10)$$

as follows. Let $\|\rho_0^B - \rho_1^B\|_1 \le \varepsilon$, so that $F(\rho_0^B,\rho_1^B) \ge (1 - \frac{\varepsilon}{2})^2$ from (10). From Uhlmann's theorem, choose $|\Phi_0\rangle$ and $|\Phi_1\rangle$ of (1)-(2) to be the purifications that achieve the maximum $F(\rho_0^B,\rho_1^B)$ so that $|\langle\Phi_0|\Phi_1\rangle| \ge 1 - \frac{\varepsilon}{2}$. The cheating operation on $|\Phi_0\rangle$ is given by (5), and Adam's successful cheating probability is given by the following

Lemma 1: For probabilities $p_i$ and complex numbers $\lambda_i$,

(11)

(the sums can be over infinite sets).

Proof: When the $\lambda_i$ are real, (11) follows from Jensen's inequality [16] and the concavity of the function $x \to x^2$. The complex case follows by expanding each $\lambda_i$ into real and imaginary parts. □



Since $\langle\Phi_0|\Phi_1\rangle = \sum_i \sqrt{p_i p'_i}\,\langle\phi_i|\phi'_i\rangle$, it follows from (11) with $\lambda_i = \sqrt{p_i/p'_i}\,\langle\phi_i|\phi'_i\rangle$ (no need to include the $p'_i = 0$ terms) and $\tilde p_i = p'_i$ that $P_c^A \ge 1 - \varepsilon$ whenever $P_c^B \le \frac12 + \frac{\varepsilon}{4}$. Thus, the statement (IP) is proved. In particular, one has the convergence rate

As an illustration, consider the following protocol, in which hashing via the parity function is used to make $\rho_0^B$ close to $\rho_1^B$ in a sequence generalization of the example in Section I.

PROTOCOL QBC0:

(i) Adam sends Babe a sequence of n qubits, each being one of $\{|\phi\rangle, |\phi'\rangle\}$, such that an even number of $|\phi'\rangle$ corresponds to b = 0 and an odd number to b = 1, with probability $1/2^{n-1}$ for each sequence of either parity.

(ii) Adam opens the commitment by revealing the sequence of n states. Babe verifies by measuring the corresponding projection on each qubit to see that the entire sequence is correct.

To show that this scheme can be made concealing, note that $\rho_0^B - \rho_1^B$ factorizes into products of individual qubit parts as follows. Let $j = (j_1,\dots,j_n) \in \{0,1\}^n$, $\rho_{l0} = |\phi\rangle\langle\phi|$, $\rho_{l1} = |\phi'\rangle\langle\phi'|$, $l \in \{1,\dots,n\}$. Let $A_0 = \{j \mid \oplus_l j_l = 0\}$, $A_1 = \{j \mid \oplus_l j_l = 1\}$ be the even and odd parity n-bit sets. Then

$$\rho_i^B = \frac{1}{2^{n-1}} \sum_{j \in A_i} \bigotimes_{l=1}^{n} \rho_{l j_l}, \qquad i \in \{0,1\} \qquad (13)$$

and so

$$\rho_0^B - \rho_1^B = \frac{1}{2^{n-1}} \bigotimes_{l=1}^{n} \left(\rho_{l0} - \rho_{l1}\right). \qquad (14)$$

Thus, Babe's optimum quantum decision reduces to optimally deciding between $|\phi\rangle$ and $|\phi'\rangle$ for each qubit individually and then seeing whether there is an even or odd number of $|\phi'\rangle$'s. The optimum error probability $P_e$ for each qubit is given in (A5), and the optimum probability $P_c^B$ of correct bit decision on the sequence is, from the even and odd binomial sums (cf. Appendix C),

$$P_c^B = \frac12 + \frac12\,(1 - 2P_e)^n. \qquad (15)$$

Thus, $P_c^B$ is close to $\frac12$ exponentially in n independently of $\frac12 > P_e > 0$. However, Adam can now cheat by forming entanglement as in (1)-(2), with $P_c^A$ exponentially close to 1 in accordance with (IP).
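The quantities in (7), (10), (14) and (15), together with the single-qubit example of Section I, can be computed directly for qubit states. The block below is an added example (not from the paper) in plain Python; the states $|\phi\rangle = |0\rangle$ and $|\phi'\rangle$ at angle θ on a great circle are constructed for the example, and the fidelity check is restricted to pure states, where $F = |\langle\phi|\phi'\rangle|^2$. For QBC0 it computes $P_c^B$ by three routes, the closed form (15), the binomial parity sum of Appendix C, and the tensor-product factorization (14) fed into (7), which must agree.

```python
import math

def outer(psi):
    return [[a * b.conjugate() for b in psi] for a in psi]   # |psi><psi|

def msub(A, B):
    return [[A[i][j] - B[i][j] for j in range(2)] for i in range(2)]

def hermitian2_eigs(M):
    # eigenvalues of a 2x2 Hermitian matrix [[a, b], [b*, d]]
    a, d, b = M[0][0].real, M[1][1].real, M[0][1]
    r = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    return (a + d) / 2 + r, (a + d) / 2 - r

def trace_norm2(M):
    # ||M||_1 = sum of |eigenvalues| for a Hermitian 2x2 operator
    return sum(abs(e) for e in hermitian2_eigs(M))

def overlap(phi, phip):
    return abs(sum(a.conjugate() * b for a, b in zip(phi, phip)))   # |<phi|phi'>|

def babe_correct_prob(rho0, rho1):
    # Eq. (7): Babe's optimum probability of a correct bit decision, equal priors
    return (2 + trace_norm2(msub(rho0, rho1))) / 4

def great_circle_pair(theta):
    # constructed qubit states |phi> = |0> and |phi'> at angle theta on a great circle
    return [1.0, 0.0], [math.cos(theta), math.sin(theta)]

def section_one_example(theta):
    # Single-qubit commitment of Section I: |phi> for 0, |phi'> for 1.
    # Returns (P_c^B, P_c^A), where P_c^A is Adam's chance of passing the
    # |phi'><phi'| check when he committed |phi> and simply declares 1.
    phi, phip = great_circle_pair(theta)
    pcB = babe_correct_prob(outer(phi), outer(phip))
    pcA = overlap(phi, phip) ** 2
    return pcB, pcA

def fidelity_bound_gap(theta):
    # Eq. (10) for pure states, where F = |<phi|phi'>|^2:
    # returns (2[1 - sqrt(F)], ||rho0 - rho1||_1); the first never exceeds the second
    phi, phip = great_circle_pair(theta)
    F = overlap(phi, phip) ** 2
    return 2 * (1 - math.sqrt(F)), trace_norm2(msub(outer(phi), outer(phip)))

def qbc0_concealment(theta, n):
    # PROTOCOL QBC0 on n qubits, three routes to P_c^B that must agree:
    #  closed   - eq. (15), 1/2 + (1/2)(1 - 2 P_e)^n
    #  binomial - Babe decides each qubit optimally and takes the parity of her
    #             guesses; she is right iff an even number of qubits were misread
    #  factor   - eq. (14): ||rho0 - rho1||_1 = prod_l ||rho_l0 - rho_l1||_1 / 2^(n-1),
    #             then eq. (7)
    phi, phip = great_circle_pair(theta)
    rho, rhop = outer(phi), outer(phip)
    pe = 1 - babe_correct_prob(rho, rhop)     # per-qubit optimum error probability (A5)
    closed = 0.5 + 0.5 * (1 - 2 * pe) ** n
    binomial = sum(math.comb(n, k) * pe ** k * (1 - pe) ** (n - k)
                   for k in range(0, n + 1, 2))
    factor = (2 + trace_norm2(msub(rho, rhop)) ** n / 2 ** (n - 1)) / 4
    return closed, binomial, factor
```

Calling `section_one_example` with a small θ reproduces the Section I observation: as $P_c^B$ approaches 1/2, Adam's $P_c^A$ from merely declaring the other bit approaches 1, with no entanglement involved. `qbc0_concealment(theta, n)` shows the exponential approach of $P_c^B$ to 1/2 in n for any fixed θ, and that the per-qubit Helstrom measurement followed by a parity count is exactly the optimal decision of (14).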
III An Extension of the Impossibility Proof



In this Section, a protocol QBC01 will be described in which Babe introduces a lossy transformation on Adam's committed state while still being able to verify perfectly. While it may be argued that such a transformation cannot succeed in obtaining a secure protocol on qualitative grounds, it may also be argued otherwise. Specifically, the coherence of the states (1)-(2) can be deliberately destroyed by Babe with such a CP map, reducing the entangled states to incoherent superpositions in her observation space. It turns out that if she does that, which she can emphatically do, the resulting condition on the number n of modes would not fit with the other requirements of the protocol. Indeed, the impossibility proof will be extended to cover all such possibilities of Babe introducing a CP-map transformation.

The following protocol is closely related to QBC0.

PROTOCOL QBC01:

(i) Adam sends Babe a sequence of n states $|\alpha_l\rangle \in \mathcal{H}_l^B$, $\mathcal{H}^B = \bigotimes_l \mathcal{H}_l^B$, each $|\alpha_l\rangle$ being either one of two coherent states $\{|\alpha\rangle, |\alpha'\rangle\}$, such that an even number of $|\alpha'\rangle$ corresponds to b = 0 and an odd number to b = 1, with probability $1/2^{n-1}$ for each sequence of either parity.

(ii) Babe splits each state $|\alpha_l\rangle$ to $|\sqrt{\eta}\,\alpha_l\rangle$ on $\mathcal{H}_l^B$, η < 1.

(iii) Adam opens the commitment by revealing the sequence of n states. Babe verifies by measuring the corresponding projection on each $|\sqrt{\eta}\,\alpha_l\rangle$ to see that the entire sequence is correct.

The cheating transformation on this protocol would produce from (5) a superposition of coherent states with large energy difference when $|\alpha - \alpha'| \gg 1$. As explained in version 2 of this paper (v4-v6), such superpositions are supersensitive to loss […], thus offering the possibility that a lossy transformation, which would not affect perfect verification on coherent states, would destroy the necessary entanglement for Adam to cheat successfully. However, in this multimode situation, in order to destroy the coherence one needs to have a loss of one photon per mode, not just one photon, and the protocol cannot be made secure. Indeed, this condition on the destruction of coherence is what makes fault-tolerant quantum computing in the presence of loss possible.
We now give the impossibility proof that defeats such a maneuver by Babe. Let $\mathcal{J}_B$ be any completely positive (CP) map (superoperator) on density operators introduced by Babe. Let $X_i$ be the measurement operator that perfectly verifies the b = 1 case given i, i.e. $X_i$ is the $H_1$ operator part of a POM for the "1" or "not 1" decision in quantum hypothesis testing as described in Appendix A, with perfect verification corresponding to the condition

$$\mathrm{tr}\,X_i\,\mathcal{J}_B\big(|\phi'_i\rangle\langle\phi'_i|\big) = 1. \qquad (16)$$

The $P_c^A$ then becomes

$$P_c^A = \sum_i \tilde p_i\,\mathrm{tr}\,X_i\,\mathcal{J}_B\big(|\tilde\phi_i\rangle\langle\tilde\phi_i|\big). \qquad (17)$$

The following lemma and all other results in this paper are valid in infinite-dimensional spaces.



Lemma 2 […]: For any bounded operator X and any trace-class operator τ,

$$|\mathrm{tr}\,X\tau| \le \|X\|\,\|\tau\|_1, \qquad (18)$$

where $\|\cdot\|$ is the ordinary operator norm.
Since $\|X_i\| \le 1$, from (18) we get

(19)

From the original $P_c^A = \sum_i p_i\,|\langle\phi_i|\phi'_i\rangle|^2 \ge 1 - \varepsilon$ for $\|\rho_0^B - \rho_1^B\|_1 \le \varepsilon$ proved in Section II, one obtains, by relating inner product and trace norm for pure states as in (A4)-(A5),

$$\sum_i p_i\,\big\|\,|\phi_i\rangle\langle\phi_i| - |\phi'_i\rangle\langle\phi'_i|\,\big\|_1^2 \le 4\varepsilon. \qquad (20)$$

The following theorem is actually valid for any positive trace-preserving map $\mathcal{J}$.

Theorem [20]:

$$\|\mathcal{J}(\rho_0 - \rho_1)\|_1 \le \|\rho_0 - \rho_1\|_1. \qquad (21)$$

From (20) and (21), $\sum_i p_i\,\|\mathcal{J}_B(|\phi_i\rangle\langle\phi_i| - |\phi'_i\rangle\langle\phi'_i|)\|_1^2 \le 4\varepsilon$ and, using (11),

$$\sum_i p_i\,\big\|\mathcal{J}_B\big(|\phi_i\rangle\langle\phi_i| - |\phi'_i\rangle\langle\phi'_i|\big)\big\|_1 \le 2\sqrt{\varepsilon}. \qquad (22)$$

Putting (22) into (19) yields $P_c^A \ge 1 - 2\sqrt{\varepsilon}$, completing the proof of (IP). It appears that the use of the trace norm cannot be avoided here, in contrast to the $\mathcal{J}_B = I$ case, which is responsible for the weakening of the convergence rate from $1 - O(\varepsilon)$ to $1 - O(\sqrt{\varepsilon})$.
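Lemma 2, the contraction theorem (21) and the chain (16)-(22) can be exercised on a single qubit. The block below is an added example, not code from the paper; it uses a qubit amplitude-damping channel as a constructed stand-in for the beam-splitter loss of QBC01 (with $|\phi'\rangle = |0\rangle$ so that condition (16) holds exactly) and a dephasing channel for the contraction check. The state Adam presents, $|\tilde\phi\rangle$ at angle δ from $|\phi'\rangle$, is constructed for the example.

```python
import math

def outer(psi):
    return [[a * b.conjugate() for b in psi] for a in psi]   # |psi><psi|

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def dagger(A):
    return [[A[j][i].conjugate() for j in range(2)] for i in range(2)]

def madd(A, B):
    return [[A[i][j] + B[i][j] for j in range(2)] for i in range(2)]

def msub(A, B):
    return [[A[i][j] - B[i][j] for j in range(2)] for i in range(2)]

def trace(A):
    return A[0][0] + A[1][1]

def hermitian2_eigs(M):
    # eigenvalues of a 2x2 Hermitian matrix [[a, b], [b*, d]]
    a, d, b = M[0][0].real, M[1][1].real, M[0][1]
    r = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    return (a + d) / 2 + r, (a + d) / 2 - r

def trace_norm2(M):
    return sum(abs(e) for e in hermitian2_eigs(M))       # ||M||_1, Hermitian M

def op_norm2(M):
    return max(abs(e) for e in hermitian2_eigs(M))       # ||M||, Hermitian M

def apply_channel(rho, kraus):
    # J(rho) = sum_k K_k rho K_k^dagger for a CP map given by its Kraus operators
    out = [[0.0, 0.0], [0.0, 0.0]]
    for K in kraus:
        out = madd(out, matmul(matmul(K, rho), dagger(K)))
    return out

def amplitude_damping(gamma):
    # qubit stand-in for the loss Babe introduces in QBC01: |1> decays to |0>
    return [[[1.0, 0.0], [0.0, math.sqrt(1 - gamma)]],
            [[0.0, math.sqrt(gamma)], [0.0, 0.0]]]

def dephasing(p):
    # removes off-diagonal coherence with probability p
    return [[[math.sqrt(1 - p), 0.0], [0.0, math.sqrt(1 - p)]],
            [[math.sqrt(p), 0.0], [0.0, -math.sqrt(p)]]]

def lemma2_sides(X, tau):
    # Eq. (18): returns (|tr X tau|, ||X|| ||tau||_1) for Hermitian X and tau
    return abs(trace(matmul(X, tau))), op_norm2(X) * trace_norm2(tau)

def contraction_sides(rho0, rho1, kraus):
    # Eq. (21): returns (||J(rho0 - rho1)||_1, ||rho0 - rho1||_1)
    diff = msub(rho0, rho1)
    return trace_norm2(apply_channel(diff, kraus)), trace_norm2(diff)

def babe_channel_does_not_help(delta, gamma):
    # Constructed instance of (16)-(22).  When Adam opens '1' Babe expects
    # |phi'> = |0>, passes the qubit through J_B = amplitude damping and verifies
    # with X = |0><0|; condition (16) holds because J_B leaves |0> untouched.
    # Adam instead presents |phi~> = cos(delta)|0> + sin(delta)|1>.
    # Returns (tr X J_B(phi'), Adam's success tr X J_B(phi~),
    #          1 - ||J_B(phi' - phi~)||_1 from (18), 1 - ||phi' - phi~||_1 from (21)).
    phip = [1.0, 0.0]
    phit = [math.cos(delta), math.sin(delta)]
    X, JB = outer(phip), amplitude_damping(gamma)
    verify = trace(matmul(X, apply_channel(outer(phip), JB))).real
    success = trace(matmul(X, apply_channel(outer(phit), JB))).real
    after, before = contraction_sides(outer(phip), outer(phit), JB)
    return verify, success, 1 - after, 1 - before
```

The ordering returned by `babe_channel_does_not_help` is the point of the Section: Adam's success is bounded below by $1 - \|\mathcal{J}_B(\cdot)\|_1$ via (18), and that quantity is itself no smaller than the bound computed from the untransformed states via (21). Whatever positive trace-preserving map Babe inserts before a perfect verification, the trace-norm gap between the state she expects and the state Adam can present does not grow.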

The perfect verification condition (16), preserved in protocol QBC01, is not necessary for a secure QBC protocol. This point and the entanglement destruction strategy of protocol QBC01 will be exploited in protocol QBC3 of Section VII. These possibilities also suggest that it is now appropriate to examine the assumptions underlying the impossibility proof.
IV The Limited Scope of the Impossibility Proof

The generality of the scope of the impossibility proof is analyzed in this section on general 
grounds. This is an important issue because unconditionally secure bit commitment is too 
useful to give up easily, and the available impossibility proof has many weaknesses that 
can be exploited for secure QBC protocols. At the very least, one may hope that hidden 
assumptions, perhaps practically valid, may be revealed. Indeed one such assumption is that 
the quantum and classical communications involved are over a perfect channel, which should 
be considered different from the assumption that the parties have perfect technology. This 
is a good assumption for some situations, but not others such as long-distance fiber-optic 
communications. Another example in which this assumption is not valid involves satellite- 
to-satellite optical communications where the receivers' fields of view have to be opened up, 
perhaps because the signals are deliberately spread, so that the sun's background contributes 
a significant amount of noise. In both of these cases, one can stretch the meaning of "perfect 
technology" to say that no unavoidable classical disturbance needs to be present - say, by 
throwing the sun to another galaxy. (And what about the cosmic background radiation?) 
But then the relevance of such results to reality is quite questionable. In this paper, a perfect 
channel is granted. Since it is widely believed that there is a complete impossibility proof in 
such a case, I would try to show otherwise independently of the protocols of the paper. 

The major problem is, of course, to decide whether the formulation given in […] is sufficiently broad to include all possible QBC protocols. Typically, one proves general impossibility by showing that any concretely suggested possibility would lead to a contradiction. The simplest example is that the possibility of superluminal communication via quantum entanglement would contradict local state invariance (cf. Appendix B). Another example would be the quantum no-clone theorem, where cloning contradicts unitarity on a sufficiently large Hilbert space [21] as well as quantum detection theory (cf. Appendix A). In von Neumann's famous no-hidden-variable theorem [22], a contradiction is derived from what he considered to be the requirements for a hidden-variable theory. Perhaps more significant and illuminating is the impossibility proof of certain geometric constructions by straightedge and compass developed in the first half of the nineteenth century, in which any such construction is characterized by the membership of a certain number lying in a tower of quadratic extension fields […]. This example is significant because it is nontrivial to capture enough of the essence of any straightedge-and-compass construction to be able to produce a mathematical contradiction when the construction is impossible. Thus, for a general impossibility proof of unconditionally secure QBC, one would expect that the general essence of any such protocol would be extracted to yield a contradiction. Clearly the impossibility proof does not do that, but rather relies on the claim that any possible QBC protocol can be reduced to its formulation. It is not a priori impossible to exhaustively describe and classify all operations of a certain kind; say, in quantum key distribution one typically characterizes all possible attacks Eve can launch. However, it is much more difficult to characterize all possible protocols than all possible attacks for any cryptographic objective because an arbitrary interactive flow of information between users is possible in a protocol. Indeed, no characterization of all protocols for a specific objective is known in standard (classical) cryptography. The scope problems of the impossibility proof are numbered as follows.

(1) One justification for the all-encompassing nature of the formulation is that Adam is proceeding exactly as if he were honest, except right before opening, in carrying out his EPR cheat. This is not true because there is no need for him to entangle anything in an honest protocol. He can just pick a $|\phi_i\rangle$ or $|\phi'_i\rangle$ and send it.

(2) Because of this, it is not clear why Adam must be able to form the entanglement he needs for any possible protocol.

(3) Furthermore, it is not clear why Adam must be able to determine the cheating transformation, even apart from complexity questions, for any possible protocol. Protocol QBC1 of Section V provides a direct challenge in this situation, while protocol QBC2 of Section VII can also be considered to pose this problem.

(4) The formulation postpones any measurement to the end of the commitment phase and claims that it entails no loss of generality. But why wouldn't it affect the quantitative cheating probabilities? Protocol QBC2 provides an example in which the timing of the measurement has substantial consequence.

(5) The density operators $\rho_0^B$ and $\rho_1^B$ for Babe are not necessarily the marginal states obtained from the states generated by Adam because of Babe's possible lack of information, a situation that is built into the protocol. Thus, Adam's EPR cheat may not correspond to the $\rho_0^B = \rho_1^B$ case. An example is provided by QBC2.

(6) It is clearly possible to avoid EPR cheats, as in the example described in Section I. While (IP) holds in this case, it holds not because of EPR cheats. The question is: why is it that an EPR-cheat-free protocol necessarily cannot satisfy (US)? Protocol QBC2 is an explicit example that (US) is possible in such a protocol.

(7) It is not clear why perfect verification is necessary, the only performance measures here being the cheating probabilities. This freedom in a QBC protocol is exploited in QBC3.

(8) It is not clear why Babe is necessarily unable to destroy Adam's entanglement by her action alone. Despite the failure of QBC01 of Section III, this possibility is manifested in protocol QBC3.

The list could be continued. Note that the burden is on the impossibility proof to resolve these points in its favor with convincing arguments, which have not been provided. Indeed, all three protocols QBC1 to QBC3, and even protocol QBC01 to a lesser extent, lie outside the framework of the impossibility proof, and no impossibility argument has been given for this kind of protocols. While there are various underlying reasons on the limited scope of the impossibility proof formulation, a major one is that the interactive flow of information between Adam and Babe may prevent cheating because of each party's lack of relevant information at any particular stage of the protocol. Such information flow is what makes the Yao model of two-party protocols [24] not sufficiently specific to characterize all QBC protocols, which he did not claim to have done. Furthermore, modification of the Yao model to have measurements at the end of the commitment phase, perhaps thought to be equivalent by the Lo-Popescu theorem […], is not justified with the use of anonymous states because the state needs to be known to guarantee the validity of that theorem. The basic problem of a general impossibility proof lies in the characterization of the essence of any possible QBC protocol that makes it insecure. The information flow problem that makes it so difficult to characterize all classical protocols surely carries over to the quantum domain.

There are well-known and widely accepted claims in the literature […-27] that classical noisy channels would make unconditionally secure bit commitment possible. While I believe the specific protocols described in […-27] are not proved unconditionally secure, I also believe unconditionally secure ones can indeed be based on noisy channels, a subject to be discussed elsewhere. Such results are not considered to be contradictory to the QBC impossibility proof presumably for the following reasons. First, classical noise is often thought to be part of an imperfect channel, i.e. it does not have to be present in principle. Apart from the points made at the beginning of this section, such a viewpoint is not correct. The quantum noise in any given quantum signaling scheme for classical communication, the minimum amount of which is determined through the optimum quantum measurement via quantum detection theory, is in principle unavoidable and functions exactly like classical noise in the optimal quantum detector [28-…]. As will be shown elsewhere, this crucial point opens up the possibility of developing unconditionally secure, practical, and efficient optical-speed cryptographic systems for all the standard cryptographic objectives via quantum states that are not superpositions of one another. Secondly, a truly classical noise system would not entail the possibility of quantum entanglement and EPR cheating. However, there are many ways to suppress EPR cheats, such as the example in Section I and the QBC2 in Section VI. While it is not easy to restore unconditional security with such suppression in a perfect channel, a noisy channel, even one created with quantum noise, would provide a powerful way for such restoration. Indeed, the development of such protocols will be the subject of a future treatment.
V Protocol QBC1



In this Section we consider the use of anonymous states in a QBC protocol which is essentially the one in version 1 (v1-v3) of this paper. In this protocol QBC1, the bit value is encoded in the parity of a sequence as in QBC0 of Section II, except that each individual state is obtained with Adam applying the openly known $U_0$ or $U_1$ to the states $|\psi\rangle$ sent to him by Babe, corresponding to the 0 or 1 bit at each position in the sequence. For example, $|\psi\rangle$ could be any state on a fixed great circle of the Bloch-Poincaré sphere of a qubit, with $U_0 = I$ and $U_1$ being a rotation by a fixed angle on the great circle independently of the bit position, say with $\langle\psi|U_1^\dagger U_0|\psi\rangle = \lambda > 0$. See Ref. [12] for further discussion of anonymous-key cryptography. Coherent-state implementation is also possible, as in QBC01.
PROTOCOL QBCl: 

(i) Babe sends Adam a sequence of n qubit states \ipi) G Hf, Ti^ = (S)i 'Hf , I E {1, . . . , n}, 
unknown to Adam. 

(ii) Adam commits via the parity of the sequence j = (ji, . . . , j„) G {0, 1}" by applying 
Ulj^ to for openly known Uiq and t/n, with {ipi\U'l^UiQ\ipi) = A > independently of /. 

(iii) Adam opens by revealing his j sequence. Babe checks every state Uij\^ipi). 

This scheme can be made concealing exactly as in QBC0, (14)-(15). As for its binding behavior, consider first the situation in which Adam can only entangle each qubit individually. He cannot switch any committed $U_{l0}|\psi_l\rangle$ or $U_{l1}|\psi_l\rangle$ to any other state, due to local state invariance, which applies to each of the states he sends separately for that state, expressing the obvious fact that there is no entanglement to a single state. If he were to entangle $U_{l0}|\psi_l\rangle$ or $U_{l1}|\psi_l\rangle$ to another state anyway, he would just present a mixed state for that qubit to Babe for that $j_l$. In this case, a different criterion needs to be used, as discussed below. If he sticks to committing first a correct state for the bit, the best cheating probability he can get is 

(23) 

by generating any sequence of $n-1$ states, picking the last one for the bit commitment, and declaring it to be otherwise when desired. From (15) and (23), one can make $P_c^A = O(m^{-1})$ and $P_c^B - 1/2 = O(2^{-m})$ with $n = O(m^2)$. Hence unconditional security is obtained for large $m$ if (23) is indeed the overall best Adam can do. In addition to $P_c^A$, one can use another criterion, $\bar P^A$, the average probability that Adam's committed evidence is accepted by Babe after he opens, which is always at least 1/2, similar to $P_c^A$, with $\bar P^A = (1 + P_c^A)/2$ when (1) is used as the initial state $|\Phi_0\rangle$ by Adam. For a general $|\Phi_0\rangle$, (6) can be simply generalized to give an expression for $\bar P^A$, with the optimization for $\bar P^A$ to be performed also over the initial $\{|\phi_i^0\rangle\}$, $\{p_i\}$. In the present situation, since single-qubit entanglement by Adam would just lead to a mixed presented state from local state invariance, $\bar P^A$ is obtained by a fixed $|\Phi_0\rangle$ with $\bar P^A = (1+\lambda)/2$. Thus, $P_c^B - \frac12 = O(2^{-m})$ and $\bar P^A - \frac12 = O(m^{-1})$ are achieved for $n = O(m^2)$. 

Adam can, however, form the entanglement without knowing the $|\psi_l\rangle$'s, by applying the unitary operator $U$ on $\mathcal{H}^A \otimes \mathcal{H}^B$, 

$U = \sum_i |e_i\rangle\langle e_i| \otimes U_i, \qquad (24)$ 

with initial state $|A\rangle \in \mathcal{H}^A$ satisfying $\sqrt{p_i} = \langle e_i|A\rangle$, as was indicated in version 1 of this paper. On the other hand, contrary to the claim in that version, Adam can also entangle qubit by qubit via, for each $i = (i_1,\dots,i_n)$ in (25), 

$U_i = \bigotimes_l U_{l i_l} = (U_{1 i_1} \otimes I_2 \otimes \cdots \otimes I_n) \cdots (I_1 \otimes \cdots \otimes I_{n-1} \otimes U_{n i_n}). \qquad (25)$ 

By applying (24)-(25), Adam can form the proper entangled state (1) or (2) without knowing the $|\psi_l\rangle$'s. However, he cannot determine the cheating transformation. In general such a cheating transformation for the $\rho_0^B \ne \rho_1^B$ case is determined by Uhlmann's theorem as follows [..]. 

Let $|\lambda_i\rangle$ and $|\rho_i\rangle$ be the eigenstates of $\rho_0^B$ and $\rho_1^B$ with eigenvalues $\lambda_i$ and $\rho_i$. The Schmidt normal forms of the purifications $|\Phi_0\rangle$ and $|\Phi_1\rangle$ of $\rho_0^B$ and $\rho_1^B$ are given by 

$|\Phi_0\rangle = \sum_i \sqrt{\lambda_i}\,|f_i\rangle|\lambda_i\rangle, \qquad (26)$ 

$|\Phi_1\rangle = \sum_i \sqrt{\rho_i}\,|g_i\rangle|\rho_i\rangle, \qquad (27)$ 

for complete orthonormal sets $\{|f_i\rangle\}$ and $\{|g_i\rangle\}$ on $\mathcal{H}^A$. Define the unitary operators $U_0$, $U_1$ and $U_2$ by 

$U_0|\lambda_i\rangle = |\rho_i\rangle, \qquad (28)$ 

$U_1|\lambda_i\rangle = |f_i\rangle, \qquad (29)$ 

$U_2|\rho_i\rangle = |g_i\rangle. \qquad (30)$ 

Since one can always pick $\mathcal{H}^A$ to be isomorphic to $\mathcal{H}^B$, one can identify them via the isomorphism. Let $U$ be the unitary operator for the polar decomposition of $\sqrt{\rho_0^B}\sqrt{\rho_1^B}$, 

$\sqrt{\rho_0^B}\sqrt{\rho_1^B} = \left|\sqrt{\rho_0^B}\sqrt{\rho_1^B}\right|\,U. \qquad (31)$ 

Then $|\langle\Phi_0|\Phi_1\rangle|^2$ assumes its maximum value $F(\rho_0^B,\rho_1^B)$ when 

UUjUoU^U^ = I (32) 

where $T$ denotes the transpose operation. Thus, when $\rho_0^B$, $\rho_1^B$, and $|e_i\rangle$ are given, $|g_i\rangle = |e_i'\rangle$ of $|\Phi_1\rangle$ is determined from (30) via solving for $U$ from (32), which requires detailed explicit knowledge of $\rho_0^B$ and $\rho_1^B$. In terms of the notation for (13)-(14), the density operators are 

$\rho_b^B = \frac{1}{2^{n-1}} \sum_{j \in A_b}\ \bigotimes_{l=1}^{n} U_{l j_l}|\psi_l\rangle\langle\psi_l|U_{l j_l}^\dagger, \qquad b \in \{0,1\}, \qquad (33)$ 

which is unknown to Adam through the $|\psi_l\rangle$ uncertainty. If Adam picks a cheating transformation for a particular $|\psi_l\rangle$ sequence, and then the sequence is randomly varied, it is easily seen that the resulting $P_c^A$ can be very small, as e.g. when the corresponding odd-parity state is actually of even parity. However, it is not easy to develop an unconditional security proof because Adam has many other possible actions, including committing states which are not exactly correct for the bit value as mentioned above. Nevertheless, the protocol clearly shows in a simple way that the impossibility proof fails to work as intended. Note that this anonymous-key strategy also works in the case $\rho_0^B = \rho_1^B$ if $\rho_0^B$ is not highly degenerate, e.g., not proportional to the identity, such that its eigenstates cannot be readily determined as in the case of (33). Indeed, for $n = \infty$ the $\rho_0^B$ and $\rho_1^B$ from (33) are equal and not proportional to $I$. Note that the strategy of this protocol, namely the use of anonymous states, is applicable to any QBC protocol, and will be employed next for protocol QBC2. 
VI Protocol QBC2 

In this section, protocol QBC2 is developed with a complete unconditional security proof by exploiting the following point: the states $\rho_0^B$ and $\rho_1^B$ that enter into (7) are not necessarily the marginal states obtained from (1)-(2), due to Babe's lack of information built into a QBC protocol. This situation is actually easy to obtain, but then Adam can usually cheat successfully with this information. The anonymous-key technique can be utilized to prevent both Adam and Babe from cheating, to yield an unconditionally secure protocol to be explained in successive steps as follows. 

In anonymous-key encryption [..], Babe transmits to Adam a state $|\psi\rangle$ only known to herself. Adam sends a bit $b$ back to Babe via modulating $|\psi\rangle$ by openly known unitary operators $U_b$. For the present purpose, the following would suffice: $|\psi\rangle \in S_0$ is one of the four possible BB84 states of a qubit, $S_0 = \{|\uparrow\rangle, |\rightarrow\rangle, |\nearrow\rangle, |\nwarrow\rangle\}$ (e.g. the vertically, horizontally, and diagonally polarized states). Adam sends back $U_b|\psi\rangle$ with $U_0 = I$ and $U_1$ being a clockwise rotation by $\pi/2$ on the polarization circle, so that Babe can always tell the bit from the state. Let her send Adam a set $S$ of the above four different states on four qubits in a random order known only to herself, with each state named by its order. Thus, $S = \{|\lambda_1\rangle_1, |\lambda_2\rangle_2, |\lambda_3\rangle_3, |\lambda_4\rangle_4\}$, where the subscript $j$ on $|\ \rangle_j$ denotes the name of the state and $\{\lambda_j\}$ is a random permutation of the set $S_0 = \{\uparrow, \rightarrow, \nearrow, \nwarrow\}$. Adam picks randomly one of these four named states in $S$, keeping the name to himself, modulates it and sends it to Babe as the commitment. For example, he chooses $|\lambda_2\rangle_2$ with subscript 2 on $|\ \rangle_2$ known to him, rotates $\lambda_2$, unknown to him, clockwise by $\pi/2$ for $b = 1$, and sends it back to Babe, who does not know the state name "2" yet. He opens by revealing the state name and the bit value. Without knowing the state name, it is easy to check that $\rho_0^B = \rho_1^B = I_2/2$ for Babe. When she learns the state name from Adam's opening, she knows the corresponding state for each bit value and can verify by measuring the corresponding projection. The actual permutation of the $S_0$-states in $S$ has to be hidden from Adam because if he knows it, he can cheat by committing any state in $S$ and announcing it to be another appropriate state from $S$. 

Consider first Adam's possibility of cheating. When he picks a specific named state $|\lambda_j\rangle_j$, he cannot apply the EPR cheat as a consequence of local state invariance, or the fact that there is no entanglement for a single state. He can announce a different name of the state from the one he actually sent, with a probability of successfully reversing $b$ (i.e. getting it accepted by Babe in her verification) given by 3/4. He can use his own state instead of the one sent by Babe; the best way to do that is by trying to determine which name corresponds to which state in $S$ by optimally processing the set $S$ from M-ary quantum detection theory (cf. Appendix A). In each case he attains a probability of success bounded away from zero. Let $p_A$ be his maximum probability of success, which is determined by the optimal M-ary quantum detector because his openings amount to a decision making that consists in matching each $\lambda_j$ with an element of $S_0$. The exact value of $p_A$ is not relevant for the security proof of our final protocol. The only relevant point here is that $p_A$ is a fixed number less than one. Hence, in an independent $m$-sequence, his probability of successful cheating, $P_c^A = p_A^m$, goes to zero exponentially in $m$. 

To show that $p_A < 1$, assume that Adam can cheat perfectly with $p_A = 1$. This implies that he can determine $\lambda_j$ for each $|\lambda_j\rangle_j$ from the set $S$ with certainty without knowing the random permutation. However, the different possible permutations yield nonorthogonal (mixed) states on the different qubit sets. By Theorem A2 in Appendix A, $p_A = 1$ is impossible. Indeed, the optimum $p_A$ is a fixed number bounded away from zero, not arbitrarily small in a parameter $n$ that grows with the number of such randomly permuted four-state sets. 

It is possible for Adam to consider EPR cheats by permuting the contents of the states to be used later with a single qubit while keeping track of the state name. In this way, he can form the entanglement (1)-(2), but he cannot transform one into the other without knowing the specific permutation of the $\lambda_j$ in the set $S$ presented to him. And, of course, if he knows the permutation, he can cheat by proper announcement without the need for entanglement. Note also that if he can entangle and transform without knowing the actual permutation, local state invariance would be violated by permuting the states back to the given order. Indeed, this and all other possible attacks by Adam are accounted for in the above argument that $p_A < 1$ holds in any of Adam's possible cheating schemes as a consequence of optimum quantum detection theory. 
The only way that Babe can cheat is to send Adam a different set $S'$ of states, e.g. the same polarization state on the polarization circle for all four qubits, which would yield a cheating probability of 1. This is to be prevented statistically via testing, by having Babe send Adam a total number of $n$ sets of $S$-states, all named by their order. Consider first the case in which Adam only commits a single qubit, and Babe sends a total of $4n$ states $|\lambda_{jl}\rangle$, $j \in \{1,\dots,n\}$, $l \in \{1,\dots,4\}$. If Babe is honest, then, for each $j$, $\{|\lambda_{jl}\rangle\}$ is a random permutation of $S_0$. To prevent Babe from cheating, Adam would randomly set aside one set $j_0$ and ask Babe for the state identities in the other $n-1$ sets. After Babe reveals the state identities from their names provided by Adam, he can verify that Babe indeed sent him sets of proper states and proceed to pick one from the $j_0$ set to commit his bit. If Babe sends a set $S' = \{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}$ which is not a random permutation of $S_0$, then there is a probability $p_1$ that it will pass Adam's testing verification, 

$p_1 = |\langle 1|\uparrow\rangle|^2\,|\langle 2|\rightarrow\rangle|^2\,|\langle 3|\nearrow\rangle|^2\,|\langle 4|\nwarrow\rangle|^2, \qquad (34)$ 

and a corresponding optimum probability $p_2$ that Babe can determine the bit knowing the qubit is from $S'$. The value of $p_2$ is determined by the optimum binary quantum detector. For example, if Babe sends all states at the angle $\pi/8$ from $|\uparrow\rangle$, $p_1 = \cos^2\frac{\pi}{8}\,\cos^2\frac{\pi}{8}\,\cos^2\frac{3\pi}{8}\,\sin^2\frac{\pi}{8}$ and $p_2 = 1$. As far as the existence of an unconditionally secure protocol is concerned, the only thing we need to know is that $p_1 = 1$ implies $p_2 = \frac12$ from (34). It is clear that any entanglement used by Babe on the states she sent would not help her cheat, because Adam is doing everything at the individual qubit level, determined by the individual marginal qubit states. Indeed, Babe's entanglement would only make $p_2$ smaller. For Babe to get away from $\frac12$, she needs to send state sets with $p_2 = \frac12 + \epsilon$ where $\epsilon$ is bounded away from zero, i.e. not arbitrarily small as a function of $n$, and send enough of them so that the chance that one of them is picked as $j_0$ by Adam is also not arbitrarily small for large $n$. In such a situation, where Adam retains one of Babe's cheating state sets, which constitute a nonzero fraction $\gamma$ of the total number $n$, the probability that Babe's cheating would not be found out, assuming Adam indeed sets aside one of the cheating state sets, goes to zero exponentially. This argument is essentially correct and will be presented rigorously in the more general situation of the protocol in the following. Here we tried to indicate the simple intuitive picture of the situation, and the fact that our scheme so far already contradicts the (IP) statement, although it falls short of the (US) statement. It should be evident that, regardless of whether (US) can be obtained in this kind of scheme, they are not covered by the formulation of the impossibility proof. 

Were Babe found to be cheating, the protocol would of course abort, which is equivalent to one party aborting in the middle of any protocol, something each party can always choose to do. Thus, our scheme is no different in this respect from any other cryptographic protocol, and is essentially different from the cheat-sensitive QBC protocols [10] in that it has nothing to do with detecting possible cheating by Adam and Babe after Adam commits, as prescribed in the definition of cheat-sensitive protocols. Indeed, Adam can discover the cheating before he commits the bit. Even though he could postpone the cheating detection measurement in our protocol, such a move would have betrayed his bit to Babe, cf. point (4) in Section IV. More significantly, the cheating probabilities were not quantified precisely in Ref. [10]; presumably if the successful cheating probability is bounded away from zero, then so is the cheat-detection probability. In the present case, arbitrarily small successful cheating probabilities can be obtained in the next protocol, the parameters $n, m$ of which are determined as shown in the following security proof. 
PROTOCOL QBC2: 

(i) Babe sends Adam n sets of qubit states, each set a random permutation of the four 
BB84 states on four different qubits, in a random order only known to herself. The states 
are named by their order in the sequence. 

(ii) Adam randomly puts $m$ sets of such states aside and asks Babe to identify the rest of the states from their names. After checking that the states are correct, he commits the bit by picking one state randomly out of each of the $m$ sets, modulates them by the same $U_b$, and sends them to Babe. 

(iii) Adam opens by revealing the names of the states he sent and the bit value. Babe 
verifies by measuring the corresponding projections. 

It should be clear that no entanglement cheating would be effective in this protocol: as discussed above, entanglement cheating by Adam or Babe serves no purpose, as the qubits are processed individually. For each bit value Adam commits, there is only one product marginal state for Babe and thus no cheating transformation for Adam. If Adam entangles anyway, he would merely send back mixed marginal states to Babe as she verifies on individual qubits. If he does not commit a correct state, as discussed after (23) in Section V, it merely changes $p_A$, the optimum value of which is not 1 as shown above. If Babe entangles anyway, she would just get back mixed states for herself. The consequence of such a situation, however, is also covered in the following. Similarly, introducing any classical correlation would serve no purpose. The protocol is binding because Adam's $P_c^A = p_A^m \to 0$ for large $m$. It is concealing basically for the same reason as in the single-qubit case, a systematic proof being given as follows. 

Let $N$ be the number of state sets Babe sends to Adam with probabilities $p_1$ of passing Adam's detection, $p_1 < 1$, with corresponding $p_2 > \frac12$. Consider first the case in which these probabilities are uniform among the sets so that Babe can have the best possible $p_2$ given $p_1$ among the $m$ different committed qubits. The other $n - N$ sets have $p_1 = 1$ and $p_2 = \frac12$. The probability that $k$ of these $N$ sets fall into the $m$ choices by Adam is given by the hypergeometric distribution. The probability that none of these $N$ sets falls into the chosen $m$ group is $P_0(N,n,m)$, a decreasing function of $N$ and an increasing function of $n$. Let $m$ be the smallest integer that 

(35) 

yields $P_c^A = p_A^m < \epsilon$ for given $\epsilon > 0$. The idea is that $N$ must be large enough that at least one of the $N$ sets needs to fall into the $m$ group to get $P_c^B > \frac12$, but then by making $n$ large, $N$ would have to be so large that the probability $P_u$ that Babe's cheating sets are undetected becomes too small. Recall that $P_c^B$ is the optimal probability that Babe succeeds in identifying the bit from measurements on the $m$ committed qubits. It will be shown that the condition 

$P_c^B \ge \frac12 + \epsilon \qquad (36)$ 

would imply $P_u < \epsilon$ by proper choice of $n$, thus ensuring unconditional security. Since Babe must have at least one of the $N$ sets picked up by Adam among his $m$ sets in order to satisfy (36), 

$P_c^B \le \frac12 P_0 + (1 - P_0)\,P(p_2, m) < 1. \qquad (37)$ 
By equating the upper and lower bounds (36) and (37) on $P_c^B$, $N$ must satisfy 

$N \ge f(\epsilon, n, m(\epsilon, p_A)), \qquad (38)$ 

where $f$ is defined through $P_0(N,n,m)$ and is an increasing function of $n$. For any $N, n$, 

$P_0(N,n,m) = \binom{n-m}{N} \Big/ \binom{n}{N}$ 

can be made arbitrarily small with $n$ large. Thus, $P_0$ can be forced to be arbitrarily small from (38) with $n$ sufficiently large. If there is an a priori maximum $\bar p_1$ among the qubits in the sets, which is proved in the following, one would have $P_u < \bar p_1^{\,N-m}$. So $n$ can be chosen to make $N$ large enough from (38) to yield $\bar p_1^{\,N-m} = \epsilon$. As a consequence, $P_u < \epsilon$ and $P_c^A < \epsilon$, proving (US). 
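As an added example (my own code, not the paper's), the following Python functions compute the hypergeometric quantity $P_0(N,n,m)$ used in the proof in both counting forms (all $N$ doctored sets land among the $n-m$ sets Adam checks, equivalently Adam's $m$ picks all avoid them), the full hypergeometric law for the number $k$ of doctored sets among Adam's $m$, the undetected-cheating bound $\bar p_1^{\,N-m}$ (at least $N-m$ doctored sets are checked and each passes with probability at most $\bar p_1$), and the smallest $m$ with $p_A^m < \epsilon$. The values $p_A$ and $\bar p_1$ are taken as inputs, since the paper notes they would have to be determined numerically.

```python
"""Detection arithmetic behind the QBC2 security proof (added example; not the paper's code).

P_0(N, n, m): probability that none of Babe's N doctored sets ends up among the
m sets Adam keeps for his commitment, i.e. that all N of them get checked.
"""
from math import comb


def p0_none_kept(N, n, m):
    """Hypergeometric zero term: all N doctored sets fall among the n-m checked sets."""
    if N > n - m:
        return 0.0          # more doctored sets than checked slots: at least one is kept
    return comb(n - m, N) / comb(n, N)


def p0_via_adam_choice(N, n, m):
    """The same quantity counted from Adam's side: his m picks all avoid the N doctored sets."""
    if m > n - N:
        return 0.0
    return comb(n - N, m) / comb(n, m)


def prob_k_kept(k, N, n, m):
    """Full hypergeometric law: exactly k of the N doctored sets are among Adam's m picks."""
    if k > N or k > m or m - k > n - N:
        return 0.0
    return comb(N, k) * comb(n - N, m - k) / comb(n, m)


def undetected_bound(p1_bar, N, m):
    """At least N-m doctored sets are checked, each passing with probability
    at most p1_bar, so the undetected probability satisfies P_u <= p1_bar**(N-m).
    For N <= m the bound is the trivial 1."""
    return p1_bar ** max(N - m, 0)


def smallest_m(p_A, eps):
    """Smallest m with p_A**m < eps, i.e. Adam's P_c^A = p_A^m pushed below eps."""
    m = 1
    while p_A ** m >= eps:
        m += 1
    return m


if __name__ == "__main__":
    print("P_0(1, 10, 3) =", p0_none_kept(1, 10, 3))            # 0.7
    print("P_0 decreases in N:", p0_none_kept(2, 10, 3))        # < 0.7
    print("P_0 increases in n:", p0_none_kept(1, 20, 3))        # > 0.7
    print("undetected bound for p1_bar=0.9, N=50, m=5:", undetected_bound(0.9, 50, 5))
    print("smallest m for p_A=0.75, eps=1e-3:", smallest_m(0.75, 1e-3))   # 25
```

The two counting forms agree for every admissible $(N, n, m)$ because both equal $(n-m)!\,(n-N)!\,/\,(n!\,(n-N-m)!)$, and the $k$-terms sum to one by the Vandermonde identity.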

To put an a priori limit on $p_1$ independent of $n$ and less than one, consider first the case where all qubits in the $N$ sets have the same underlying $S'$ so that Babe knows what measurement to make on each. Let $P(S', m)$ be the optimum probability that Babe succeeds in identifying $b$ from measurements on the $m$ qubit sets. Thus, $P(S', m)$ is a continuous function of the $S'$ that gives rise to the $p_2$, as it is a trace norm of the states from (A4). (All norm topologies are equivalent in finite-dimensional spaces.) In order for (36) to be satisfied, one must have 

$P(S', m) \ge \frac12 + \epsilon \qquad (39)$ 

for some $\epsilon > 0$. The maximum $p_1$ that Babe can have is determined among all the qubit sets $S'$ that satisfy (39) and $1 > P(S', m)$. The maximum $\bar p_1 = \max_{S'} p_1(S')$ exists for the following reason. The set of $S'$ obeying (39) and $P(S', m) < 1$ is closed and thus compact. The function $p_1(S')$ of (34) is continuous. The existence of $\bar p_1$ thus follows from the Weierstrass theorem. That is, a maximum $p_1$ is achieved by some $S'_0$ in the constraint set, and so $\bar p_1 < 1$. Now suppose Babe has formed entanglements among the sets she sends to Adam. The $N$ sets are defined according to whether each marginal state, as checked and modulated by Adam, would have $p_{j1} = 1$, $j \in \{1,\dots,n\}$. Thus, instead of $P(S', m)$ one has $\bar P(S', m)$ that includes optimization over all possible entangled states $S'$, which provides an upper bound to $P_c^B$ and is still given through the trace norm (A4). Let $\bar p_1 = \max_{S'_j} p_1(S'_j)$ for all marginal $S'_j$ obtained from $S'$ that satisfy $1 > \bar P(S', m) \ge \frac12 + \epsilon$. All $S'_j$ in the $N$-set lead to $p_{j2} < 1$ by definition of the $N$-set. Thus, the existence of $\bar p_1 < 1$ follows as in the uniform $S'_j$ case. We have now exhausted all possible actions by Adam and Babe. 

In order to execute this protocol in accordance with the above proof in choosing $m$ and $n$, one needs to know $p_A$ and $\bar p_1$. These appear to be difficult to obtain analytically, and numerical solutions would need to be used in an actual implementation. In such a situation, the above technicality on the existence of $\bar p_1 < 1$ would not occur. While it is easily shown that no four large-energy coherent states can approximate the behavior of the four BB84 states in $S_0$, it may still be possible to develop a large-energy coherent-state implementation of this protocol because not all properties of the BB84 states are needed. 
VII Protocol QBC3 



The points (7)-(8) in Section IV are now exploited to create a protocol that defeats Adam's EPR cheat. Consider the following addition to protocol QBC0 in Section II: after Adam commits, Babe picks randomly $N$ out of the $n$ qubits and measures randomly on each either $|0\rangle\langle 0|$ or ..., but does not tell Adam which qubits she picked and what measurement results she obtained. When Adam opens, she would verify among the $N$ qubits those that match Adam's announcement and the rest $n - N$ qubits, and take those that don't match Adam's announcement as correct. Thus, she does not have a perfect verification, but Adam cannot cheat successfully by changing one bit position in his announcement when $N/n$ is small. On the other hand, this action by Babe effectively destroys the entanglement that Adam may have formed for the EPR cheat, as shown below. Babe needs to keep secret which $N$ qubits she made measurements upon, or else Adam can alter his basis $|e_i\rangle$ to entangle properly to the other $n - N$ qubits. Conditions on the parameters will be given. 

PROTOCOL QBC3 

(i) Adam sends Babe a sequence of $n$ qubits, each in either one of ..., and commits $b$ via the parity of the sequence with uniform probability. 

(ii) Babe randomly picks $N$ out of the $n$ qubits, randomly measures either ... or ... on each, and keeps the results secret from Adam. 

(iii) After Adam reveals the sequence commitment, Babe verifies those states that match among the $N$ measured qubits and the $n - N$ unmeasured ones. 

The protocol can be made concealing as in QBC0 and QBC1, but Adam can now cheat in more ways. Similar to QBC1, he can pick one qubit and announce it otherwise, which now has a higher probability of success because of Babe's measurements. From the union bound on the probability of two possible events, 

$P_c^A \le \lambda(m')^2 + \frac{N}{n}. \qquad (40)$ 

Thus one may pick 

$\lambda(m')^2 = O(m^{-1}) \qquad (41)$ 

similar to (23), and also 

$N/n = O(m^{-1}), \qquad (42)$ 

so that $P_c^A = O(m^{-1})$. Adam can, in view of Babe's possible measurements, entangle as small a number of qubits as possible. If he wants an entanglement cheating probability of 

$P_c^A = 1 - O(m^{-1}), \qquad (43)$ 

he would need to entangle $n' = O(m \log m)$, so that the resulting $P_c^B = \frac12 + O(m^{-1})$ would guarantee (43) through (12). Thus, to maintain just this order of $P_c^B$, $n$ should be reduced to $n = O(m \log m)$ compared to QBC1, and so $N = O(\log m)$ from (43). 

If Adam just cheats as if Babe has made no measurement, a direct computation shows that, for $p_i = p_i' = 1/M$, 

$|\langle\Phi_0'|\Phi_1\rangle|^2 = 2^{-N}, \qquad (44)$ 

where $|\Phi_0'\rangle$ is the cheating entangled state from $|\Phi_0\rangle$ after Babe made her $N$ qubit measurements, as follows. The state $|\Phi_0'\rangle$ can be written, from (5), 

l*^o) = 'y^E E ^jvi]v+i---«n-ijkj)l0i]v«jv+i-..in-i) (45) 

where $i_N$ are the fixed indices corresponding to Babe's measurement results and $\mathcal{N}$ is a normalization constant determined to be $\mathcal{N} = 2^N$. Then (44) follows from (45) and the unitarity of $V_{ij}$. However, this does not yet constitute an unconditional security proof for the following reasons. Adam does not have to apply the cheating transformation as if Babe has made no measurements. It remains to be demonstrated that his optimal cheating transformation, particularly in the case he does not generate an exactly correct initial state for the bit value as discussed after Eq. (23), would lead to an arbitrarily small $P_c^A$. Furthermore, Adam may aim lower than $P_c^A = 1 - O(m^{-1})$ by optimizing differently, just to defeat (US). 

I believe QBC3 is in fact unconditionally secure, as I believe QBC1 is, and a new formulation of the QBC problem is being developed to facilitate further analysis of the $P_c^A$ behavior in QBC protocols with possible entanglement attacks. Such a general treatment is important because the strategy of this protocol is applicable to all QBC protocols in which the bit value is obtained from a correlated function of the individual bit positions, and the strategy of QBC1, namely the use of anonymous states, is applicable to any QBC protocol. 
VIII Conclusion 



I hope this paper leaves no doubt that not only is there no general impossibility proof for unconditionally secure quantum bit commitment, but that, in fact, an unconditionally secure QBC protocol has actually been provided. The intuitive reasons and a complete proof that QBC2 satisfies (US) have been described in Section VI. The protocols QBC1 and QBC3, while not proved to be unconditionally secure in this paper, already demonstrate the failure of the impossibility proof given in the literature. Additional gaps of the impossibility proof are indicated in Section IV and can be exploited for further secure QBC schemes. 

Some comments on the practicality of our protocols are in order. Protocols QBC0, QBC1, and QBC3 can be readily implemented with large-energy coherent states. However, there is a sensitivity problem that results from $\lambda \sim 0$, which obscures the difference in practice between the two cases of detection for verification versus cheating, corresponding to the cases when the state is known or unknown. An investigation into sensitive detection schemes would be timely. Also, it is expected that this and other practical difficulties can be alleviated by the use of error-correcting codes or hash functions more complicated than parity. Perhaps a large-energy coherent-state scheme similar to QBC2 can also be developed. Another promising avenue is the utilization of the irreducible quantum noise in quantum signal detection schemes to achieve unconditionally secure bit commitment. The loss in fiber-optic communications, especially for the established Internet backbone, can also be used to generate irreducible quantum noise. The resulting protocols, together with similarly possible quantum key distribution and encryption schemes, may open the exciting possibility of optical-speed unconditionally secure cryptography for widespread applications. 
Appendix A 

Quantum Detection Theory 



Quantum detection theory [18] is concerned with the determination of the optimum quantum measurement and the resulting optimum performance for discriminating a finite number $M$ of alternative hypotheses according to a given performance criterion linear in the density operators $\rho_j$, $j \in \{1,\dots,M\}$, describing the quantum states of the different alternatives. It has not been used in the previous quantum cryptography literature other than my papers [12], [..], although it actually has a crucial role, especially in QBC. 

Thus, Babe's optimum probability of cheating is given by the optimum binary quantum detector for $\rho_0^B$ and $\rho_1^B$. 

In binary quantum hypothesis testing with a priori probabilities $p_0$ and $p_1 = 1 - p_0$, the decision is made on the basis of measuring a POM (positive operator-valued measure) described by $\Pi_0$ and $\Pi_1 = I - \Pi_0$, $\Pi_0 \ge 0$ (an operator inequality $A \ge B$ means that $A - B$ is positive semidefinite). The hypothesis $i$ is chosen correctly from the measurement result with probability $\mathrm{tr}\,\Pi_i\rho_i$, so that the total probability of correct decision is given by 

$P_{c2} = p_0\,\mathrm{tr}\,\Pi_0\rho_0 + p_1\,\mathrm{tr}\,\Pi_1\rho_1. \qquad (A1)$ 

In M-ary hypothesis testing, (A1) generalizes to 

$P_{cM} = \sum_{i=1}^{M} p_i\,\mathrm{tr}\,\Pi_i\rho_i, \qquad (A2)$ 

where the $\{\Pi_i\}$ form the M-outcome POM 

$\sum_{i=1}^{M} \Pi_i = I, \qquad \Pi_i \ge 0. \qquad (A3)$ 

An operator $\tau$ is called trace-class if its trace norm $\|\tau\|_1 = \mathrm{tr}\sqrt{\tau^\dagger\tau}$ is defined (finite); thus all operators on finite-dimensional spaces are trace-class. Density operators are trace-class. The optimum $P_{c2}$ among all POM's can be written as follows. 

Lemma A1: 

$P_{c2} = \frac12 + \frac12\,\|p_0\rho_0 - p_1\rho_1\|_1. \qquad (A4)$ 
Proof. Write $p_0\rho_0 - p_1\rho_1 = \sigma_+ - \sigma_-$, the positive and negative eigenvalue parts, so that $|p_0\rho_0 - p_1\rho_1| = \sqrt{(p_0\rho_0 - p_1\rho_1)^2} = \sigma_+ + \sigma_-$. From $\mathrm{tr}(p_0\rho_0 - p_1\rho_1) = p_0 - p_1$, one has $\mathrm{tr}\,\sigma_+ = \mathrm{tr}\,\sigma_- + p_0 - p_1$. Now, from (A1), 

$P_{c2} = p_1 + \max_{0 \le \Pi \le I} \mathrm{tr}\,\Pi(p_0\rho_0 - p_1\rho_1),$ 

while 

$\max_{0 \le \Pi \le I} \mathrm{tr}\,\Pi(p_0\rho_0 - p_1\rho_1) = \max_{0 \le \Pi \le I,\ \Pi\sigma_- = 0} \mathrm{tr}\,\Pi\sigma_+ = \mathrm{tr}\,\sigma_+ = \frac12\|p_0\rho_0 - p_1\rho_1\|_1 + \frac12(p_0 - p_1),$ 

and (A4) follows. □ 

For two pure states, $|\psi_0\rangle$ and $|\psi_1\rangle$, (A4) reduces to 

$P_{c2} = \frac12 + \frac12\sqrt{1 - 4p_0p_1|\langle\psi_0|\psi_1\rangle|^2}. \qquad (A5)$ 
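As an added worked example (my own code, not from the paper), the following pure-Python script evaluates Lemma A1 for qubit states. It computes $\|p_0\rho_0 - p_1\rho_1\|_1$ from the closed-form eigenvalues of a $2\times 2$ Hermitian matrix, builds the POM element $\Pi_0$ that projects onto the positive part $\sigma_+$ exactly as the proof prescribes, checks that (A1) evaluated with that POM reproduces the trace-norm expression (A4), compares with (A5) for pure states, and tests the Corollary A1 condition $\rho_0\rho_1 = 0$. The helper names and the toy states are this example's own.

```python
"""Helstrom bound (A4)/(A5) for a single qubit (added example; pure Python, no numpy)."""
import math

I2 = [[1 + 0j, 0j], [0j, 1 + 0j]]


def outer(psi):
    """Density operator |psi><psi| of a normalized 2-vector of complex amplitudes."""
    return [[psi[r] * psi[c].conjugate() for c in range(2)] for r in range(2)]


def inner(a, b):
    """<a|b> for 2-vectors."""
    return a[0].conjugate() * b[0] + a[1].conjugate() * b[1]


def matmul(A, B):
    return [[sum(A[r][k] * B[k][c] for k in range(2)) for c in range(2)] for r in range(2)]


def trace(A):
    return A[0][0] + A[1][1]


def lincomb(a, A, b, B):
    """a*A + b*B for 2x2 matrices."""
    return [[a * A[r][c] + b * B[r][c] for c in range(2)] for r in range(2)]


def eig_hermitian_2x2(H):
    """Eigenpairs ((lo, v_lo), (hi, v_hi)) of a 2x2 Hermitian matrix, in closed form."""
    a, d, b = H[0][0].real, H[1][1].real, H[0][1]
    if abs(b) < 1e-14:                      # already diagonal
        if a <= d:
            return (a, [1 + 0j, 0j]), (d, [0j, 1 + 0j])
        return (d, [0j, 1 + 0j]), (a, [1 + 0j, 0j])
    mid, disc = (a + d) / 2, math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    lo, hi = mid - disc, mid + disc

    def vec(lam):                            # (H - lam I) v = 0 is solved by v = (b, lam - a)
        v = [b, lam - a + 0j]
        norm = math.sqrt(abs(v[0]) ** 2 + abs(v[1]) ** 2)
        return [v[0] / norm, v[1] / norm]

    return (lo, vec(lo)), (hi, vec(hi))


def helstrom(p0, rho0, p1, rho1):
    """Lemma A1.  Returns (P_c2 from the trace norm (A4), P_c2 from (A1) with the
    optimal POM, Pi_0).  Pi_0 projects onto the positive part sigma_+ of
    p0*rho0 - p1*rho1, which is the choice Pi*sigma_- = 0 made in the proof."""
    D = lincomb(p0, rho0, -p1, rho1)
    (lo, v_lo), (hi, v_hi) = eig_hermitian_2x2(D)
    trace_norm = abs(lo) + abs(hi)          # ||p0 rho0 - p1 rho1||_1 = tr sigma_+ + tr sigma_-
    if lo > 0:
        pi0 = I2                             # D > 0: always decide hypothesis 0
    elif hi > 0:
        pi0 = outer(v_hi)                    # keep only the positive eigenvector
    else:
        pi0 = [[0j, 0j], [0j, 0j]]           # D <= 0: always decide hypothesis 1
    pi1 = lincomb(1, I2, -1, pi0)
    pc_direct = (p0 * trace(matmul(pi0, rho0)) + p1 * trace(matmul(pi1, rho1))).real
    return 0.5 + 0.5 * trace_norm, pc_direct, pi0


def pure_state_bound(p0, p1, psi0, psi1):
    """Eq. (A5): the optimum for two pure states in terms of their overlap."""
    ov = abs(inner(psi0, psi1)) ** 2
    return 0.5 + 0.5 * math.sqrt(max(0.0, 1 - 4 * p0 * p1 * ov))


def ranges_orthogonal(rho0, rho1, tol=1e-12):
    """Corollary A1 condition rho0 * rho1 = 0."""
    P = matmul(rho0, rho1)
    return all(abs(P[r][c]) < tol for r in range(2) for c in range(2))


def qubit(theta):
    """Real qubit state cos(theta)|0> + sin(theta)|1>."""
    return [math.cos(theta) + 0j, math.sin(theta) + 0j]


if __name__ == "__main__":
    psi0, psi1 = qubit(0.0), qubit(math.pi / 4)
    bound, direct, _ = helstrom(0.5, outer(psi0), 0.5, outer(psi1))
    print("(A4):", bound, " (A1) with optimal POM:", direct,
          " (A5):", pure_state_bound(0.5, 0.5, psi0, psi1))
    print("orthogonal pure states ->", helstrom(0.5, outer(psi0), 0.5, outer(qubit(math.pi / 2)))[0])
    print("rho0 = I/2 vs rho1 = |0><0| ->", helstrom(0.5, lincomb(0.5, I2, 0, I2), 0.5, outer(psi0))[0])
```

The mixed-state case at the end ($\rho_0 = I/2$ against $\rho_1 = |0\rangle\langle 0|$ with equal priors) gives $3/4$, which is also what the obvious strategy of measuring $|0\rangle\langle 0|$ achieves, and identical states give $1/2$, the value of guessing.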
The use of "information", e.g. as in Ref. [..], is not sufficient in QBC because it is not the relevant performance measure, and the optimum detectors for $P_{c2}$ and for mutual information are usually not the same. Indeed, generally in cryptography, the use of mutual information is often not sufficiently precise because it has only asymptotic significance in a noisy system, and at least Eve has no possibility of coding. Thus, the performance resulting from attacks by Eve or by cheating among users in QBC should be measured by their respective probabilities of success. In some cases, including many quantum key-distribution situations, the mutual information could be used to bound the successful eavesdropping probability. But even in those situations the resulting system design may be overly pessimistic when the mutual information criterion is employed. 

An important condition whose validity seems clear intuitively is that $P_{c2} = 1$ in binary quantum detection if and only if the states satisfy $\rho_0\rho_1 = 0$, i.e. the ranges of $\rho_0$ and $\rho_1$ are orthogonal subspaces of the state Hilbert space. The "if" part is immediate and the "only if" part, which follows from (A5) when $\rho_0$ and $\rho_1$ are pure states, seems to be a consequence of the general no-clone theorem. Specifically, one would be able to clone two nonorthogonal states if one could discriminate between them perfectly. However, the unitarity argument used for no-cloning is not sufficient to include measurement transformations; at least many physicists believe that a quantum measurement transformation with a specific reading is not describable by a unitary transformation on any larger Hilbert space. Nor is linearity sufficient. Thus, the impossibility of perfectly discriminating nonorthogonal pure states, expressed as $\rho_0\rho_1 \ne 0$ for general mixed states, is a separate property to be demonstrated, indeed even just for completing the no-clone argument. That such a property can be demonstrated from quantum detection theory, as done below, appears to me to be another manifestation of the "magical unity" or consistency of the quantum formalism. 

The proof of the following theorem generalizes a finite-dimensional proof for the case 
Ao = Ai = 1 first communicated to the author by Masanao Ozawa. 

Theorem A1: For positive constants $\lambda_0, \lambda_1$ and density operators $\rho_0, \rho_1$, the maximum value of $\|\lambda_0\rho_0 - \lambda_1\rho_1\|_1$ among all possible $\rho_0, \rho_1$ occurs only when $\rho_0\rho_1 = 0$, with 

$\|\lambda_0\rho_0 - \lambda_1\rho_1\|_1 = \lambda_0 + \lambda_1. \qquad (A6)$ 

Proof: In the finite-dimensional case, the polar decomposition of 

$$\rho' = \lambda_0\rho_0 - \lambda_1\rho_1 = U\,|\lambda_0\rho_0 - \lambda_1\rho_1| \quad (A7)$$

always exists for a unitary $U$. In the infinite-dimensional case, $U$ is only a partial isometry in general [3]. Since $\rho'$ on $\mathcal{H}$ has an eigenvector decomposition as it is trace-class, $U$ becomes an isometry when restricted to the space $\mathcal{H}_R \subset \mathcal{H}$, the range of $\rho'$. Thus $U^\dagger U = I_{\mathcal{H}_R}$, and we can write 

$$|\lambda_0\rho_0 - \lambda_1\rho_1| = V(\lambda_0\rho_0 - \lambda_1\rho_1) \quad (A8)$$

where $V = U^\dagger$, $\|V\| = 1$. From (A8), 

$$\|\rho'\|_1 = \mathrm{tr}\,V(\lambda_0\rho_0 - \lambda_1\rho_1) = \mathrm{tr}\,V\lambda_0\rho_0 - \mathrm{tr}\,V\lambda_1\rho_1. \quad (A9)$$

Now, from (18), for any positive trace-class operator $A \geq 0$ and any $V$ with $\|V\| = 1$, the real part 

$$\mathrm{Re}\,\mathrm{tr}(VA) \leq |\mathrm{tr}(VA)| \leq \|VA\|_1 \leq \|V\|\,\|A\|_1 = \mathrm{Re}\,\mathrm{tr}A,$$

leading to 

$$\mathrm{Re}\,\mathrm{tr}(VA) \leq \mathrm{Re}\,\mathrm{tr}A \quad (A10)$$

from which it follows that 

$$-\lambda_0 \leq \mathrm{Re}\,\mathrm{tr}\,V\lambda_0\rho_0 \leq \lambda_0, \qquad -\lambda_1 \leq -\mathrm{Re}\,\mathrm{tr}\,V\lambda_1\rho_1 \leq \lambda_1. \quad (A11)$$

From (A9) and (A11), we have 

$$\max \|\rho'\|_1 = \lambda_0 + \lambda_1 \quad (A12)$$

which occurs when 

$$\mathrm{Re}\,\mathrm{tr}\,V\rho_0 = 1 \quad \text{and} \quad \mathrm{Re}\,\mathrm{tr}\,V\rho_1 = -1. \quad (A13)$$
Let $\rho_0$ have the spectral decomposition $\rho_0 = \sum_n \nu_n |\phi_n\rangle\langle\phi_n|$. Then (A13) implies 

$$\sum_n \nu_n\, \mathrm{Re}\langle\phi_n|V|\phi_n\rangle = 1.$$

Since $0 \leq \nu_n \leq 1$ and $\sum_n \nu_n = 1$, if $\nu_n \neq 0$ we have $\mathrm{Re}\langle\phi_n|V|\phi_n\rangle = 1$ and hence $V|\phi_n\rangle = |\phi_n\rangle$. Let $\rho_1$ have the spectral decomposition $\rho_1 = \sum_m \mu_m |\psi_m\rangle\langle\psi_m|$. Similarly, if $\mu_m \neq 0$, then $V|\psi_m\rangle = -|\psi_m\rangle$. Since $VV^\dagger = I_{\mathcal{H}_R}$, the eigenvectors of $V$ with different eigenvalues are mutually orthogonal and hence 

$$\rho_0\rho_1 = \sum_{m,n} \nu_n\mu_m\, |\phi_n\rangle\langle\phi_n|\psi_m\rangle\langle\psi_m| = 0. \quad (A14)$$

□ 

Corollary A1: $P_c^2 = 1$ if and only if $\rho_0\rho_1 = 0$. 

I would like to emphasize that by itself, without the need for unitarity, Corollary A1 already implies the no-clone theorem for arbitrary $\rho_0\rho_1 \neq 0$. This is because if one could clone, one could obtain an indefinitely large number of copies of the state, which would make it possible to determine the state arbitrarily accurately and hence contradict the corollary. On the other hand, an argument using the physical interpretation of a density operator as an ensemble would show, in conjunction with the pure-state result from (A5), that the eigenstates of $\rho_0$ and $\rho_1$ must be mutually orthogonal to ensure $P_c^2 = 1$, thus proving the corollary without Theorem A1. While this can be considered a new kind of mathematics, proving mathematical theorems from physical arguments, it is appropriate to separate physical interpretation from what the mathematical formalism says by itself, if only to check whether they are compatible. 
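The following Python is an added illustration, not from the paper: it evaluates the trace norm of Theorem A1 for a pair of qubit states, one fixed and one rotated by a constructed angle, and shows that the bound $\lambda_0 + \lambda_1$ of (A6) is reached exactly when $\rho_0\rho_1 = 0$. The function helstrom_pc uses the standard Helstrom expression $P_c^2 = (1 + \|p_0\rho_0 - p_1\rho_1\|_1)/2$, which is assumed here rather than taken from the text above.

```python
import math

def pure_state(theta):
    """Density operator (real 2x2 matrix) of the qubit state cos(theta)|0> + sin(theta)|1>;
    theta = 0 gives |0><0| and theta = pi/2 the orthogonal state |1><1|."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c * c, c * s], [c * s, s * s]]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def is_orthogonal(rho0, rho1, tol=1e-12):
    """rho0 rho1 = 0, the condition appearing in Theorem A1 and Corollary A1."""
    prod = matmul(rho0, rho1)
    return all(abs(prod[i][j]) < tol for i in range(2) for j in range(2))

def trace_norm(m):
    """||m||_1 = sum of |eigenvalues| for a real symmetric 2x2 matrix (closed-form eigenvalues)."""
    a, b, d = m[0][0], m[0][1], m[1][1]
    mean, half_gap = (a + d) / 2, math.sqrt(((a - d) / 2) ** 2 + b * b)
    return abs(mean + half_gap) + abs(mean - half_gap)

def weighted_difference_norm(lam0, rho0, lam1, rho1):
    """||lam0 rho0 - lam1 rho1||_1; by (A6) it reaches lam0 + lam1 only when rho0 rho1 = 0."""
    diff = [[lam0 * rho0[i][j] - lam1 * rho1[i][j] for j in range(2)] for i in range(2)]
    return trace_norm(diff)

def helstrom_pc(p0, rho0, rho1):
    """Optimal probability of a correct binary decision, P_c^2 = (1 + ||p0 rho0 - p1 rho1||_1) / 2
    with p1 = 1 - p0 (Helstrom's standard result, assumed here); it equals 1 iff rho0 rho1 = 0."""
    return 0.5 * (1 + weighted_difference_norm(p0, rho0, 1 - p0, rho1))

if __name__ == "__main__":
    rho0 = pure_state(0.0)
    for theta in (math.pi / 2, math.pi / 4):          # constructed sample angles
        rho1 = pure_state(theta)
        print(f"theta={theta:.4f}  orthogonal={is_orthogonal(rho0, rho1)}  "
              f"||0.7 rho0 - 0.3 rho1||_1={weighted_difference_norm(0.7, rho0, 0.3, rho1):.4f} "
              f"(bound 1.0)  P_c={helstrom_pc(0.5, rho0, rho1):.4f}")
```

For the orthogonal pair the norm equals $0.7 + 0.3 = 1$ and $P_c^2 = 1$; for the pair at $\pi/4$ the norm stays strictly below the bound and $P_c^2 = (1 + 1/\sqrt{2})/2$.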
The above theorem can be generalized to M-ary hypothesis testing. 

Theorem A2: $P_c^M = 1$ if and only if $\rho_i\rho_j = 0$ for all $i \neq j$. 

Proof: If one pair is not orthogonal, say $\rho_1\rho_2 \neq 0$, then 

$$P_c^M = p_1\,\mathrm{tr}\,\Pi_1\rho_1 + p_2\,\mathrm{tr}\,\Pi_2\rho_2 + \sum_{i=3}^{M} p_i\,\mathrm{tr}\,\Pi_i\rho_i \leq p_1\,\mathrm{tr}\,\Pi_1\rho_1 + p_2\,\mathrm{tr}\,\Pi_2\rho_2 + 1 - p_1 - p_2$$

since (A3) implies $\|\Pi_i\| \leq 1$ so that $\mathrm{tr}\,\Pi_i\rho_i \leq 1$ from (18) and (A3). Because the maximum over $\Pi_0$ of the expression (A1) is given by (A4) for any positive $\rho_0, \rho_1$, as can be seen from the proof of Lemma A1, it follows from Theorem A1 that $p_1\,\mathrm{tr}\,\Pi_1\rho_1 + p_2\,\mathrm{tr}\,\Pi_2\rho_2 = 1$ if and only if $\rho_1\rho_2 = 0$. Thus $P_c^M < 1$. The contraposition of this conclusion is the nontrivial part of the theorem. □ 


Appendix B 

Local State Invariance 



The local state invariance theorem is conceptually significant and has a simple proof. 

Theorem (Local State Invariance): Let $\rho^{AB}$ be a state on $\mathcal{H}^A \otimes \mathcal{H}^B$ with marginal states $\rho^A = \mathrm{tr}_B\,\rho^{AB}$ and $\rho^B$. The individual or combined effects of any state transformation and quantum measurement (averaged over the measurement results) on $\mathcal{H}^A$ alone leaves $\rho^B$ invariant. 

Proof. It suffices to consider a pure state $|\Phi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ in Schmidt form $|\Phi\rangle = \sum_k a_k |e_k\rangle|\phi_k\rangle$, $\langle e_k|e_{k'}\rangle = \langle\phi_k|\phi_{k'}\rangle = \delta_{kk'}$, so that $\rho^B = \sum_k |a_k|^2 |\phi_k\rangle\langle\phi_k|$. The most general operation on $\mathcal{H}^A$ can be represented by extending to $\mathcal{H}^A \otimes \mathcal{H}^{A'}$ with initial state $|A'\rangle \in \mathcal{H}^{A'}$, and applying a unitary $U$ and measuring a complete orthonormal basis $\{|\ell\rangle\langle\ell|\}$ on $\mathcal{H}^A \otimes \mathcal{H}^{A'}$ [P6]. This results in $\rho'^B = \sum_\ell \langle\ell|U|\Phi\rangle|A'\rangle\langle A'|\langle\Phi|U^\dagger|\ell\rangle$ so that $\langle\phi_k|\rho^B|\phi_{k'}\rangle = |a_k|^2\delta_{kk'} = \langle\phi_k|\rho'^B|\phi_{k'}\rangle$. The same result obtains when either $U$ or the measurement on $\{|\ell\rangle\langle\ell|\}$ is omitted. □ 

The Schmidt decomposition in the above proof only simplifies notation and is not essential. This theorem implies that superluminal communication via quantum entanglement is impossible, which would be obtained if and only if $\rho^B$ is changed so that a binary communication channel of classical information with nonzero channel capacity is created. Observe that the averaging over measurement results in the theorem is a crucial condition for application to superluminal communication, in which the specific measurement result on $\mathcal{H}^A$ is unknown to the party with $\mathcal{H}^B$. While there are many proofs on the impossibility of entanglement-induced superluminal communication in the literature, see, e.g., [^], none appears to be as complete and simple as the proof just given. In particular, the impossibility of cloning quantum states in some such proofs is not sufficient to establish the impossibility of superluminal communication. 
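As an added numerical check of the theorem, not part of the paper, the following Python builds a two-qubit Schmidt state, applies a constructed unitary to qubit A, measures A in the computational basis with the outcomes averaged (no post-selection), and confirms that the marginal $\rho^B$ is unchanged in every case; the amplitudes, the unitary and the qubit encoding are constructed here.

```python
import cmath
import math

# Two-qubit amplitudes: a list of 4 complex numbers indexed 2*a + b for |a>|b>.
# Qubit A is the one acted upon; qubit B is the bystander whose marginal we watch.

def apply_on_A(U, psi):
    """Apply the 2x2 unitary U to qubit A only (U tensor identity on B)."""
    return [sum(U[a][a2] * psi[2 * a2 + b] for a2 in range(2))
            for a in range(2) for b in range(2)]

def reduced_B(psi):
    """rho^B = tr_A |psi><psi| as a 2x2 nested list; psi need not be normalized."""
    return [[sum(psi[2 * a + b] * psi[2 * a + b2].conjugate() for a in range(2))
             for b2 in range(2)] for b in range(2)]

def measure_A_then_reduce(psi):
    """Measure A in the computational basis and average rho^B over the outcomes.
    Each unnormalized branch carries its outcome probability as its squared norm,
    so summing the branch marginals is exactly the outcome-averaged rho^B."""
    total = [[0j, 0j], [0j, 0j]]
    for outcome in range(2):
        branch = [amp if i // 2 == outcome else 0j for i, amp in enumerate(psi)]
        r = reduced_B(branch)
        total = [[total[i][j] + r[i][j] for j in range(2)] for i in range(2)]
    return total

def max_abs_diff(r1, r2):
    return max(abs(r1[i][j] - r2[i][j]) for i in range(2) for j in range(2))

def invariance_gap(psi, U):
    """Largest change of rho^B under U on A, measurement of A, or both (theorem: zero)."""
    before = reduced_B(psi)
    after = (reduced_B(apply_on_A(U, psi)),
             measure_A_then_reduce(psi),
             measure_A_then_reduce(apply_on_A(U, psi)))
    return max(max_abs_diff(before, x) for x in after)

def schmidt_state(a0, a1):
    """|Phi> = a0 |0>|0> + a1 |1>|1>, a Schmidt form with computational-basis vectors."""
    return [complex(a0), 0j, 0j, complex(a1)]

def rotation_with_phase(theta, phi):
    """A generic single-qubit unitary: a real rotation by theta with a relative phase phi."""
    c, s, e = math.cos(theta), math.sin(theta), cmath.exp(1j * phi)
    return [[c, -s], [s * e, c * e]]

if __name__ == "__main__":
    psi = schmidt_state(0.6, 0.8)          # constructed sample state, |a0|^2 + |a1|^2 = 1
    U = rotation_with_phase(0.7, 1.3)      # constructed sample unitary acting on A
    print("rho^B before:", reduced_B(psi))
    print("max change of rho^B:", invariance_gap(psi, U))   # rounding-level, i.e. zero
```

The state of A itself is of course altered by U and by the measurement; only the bystander marginal $\rho^B$ is invariant, which is what rules out a signal from A to B.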
Appendix C 

Even and Odd Binomial Sums 

The even and odd binomial sums used in obtaining (15) are derived as follows. Let $P_m$ be the odd sum 

$$P_m = \sum_{r\ \mathrm{odd}} \binom{m}{r} p^r (1-p)^{m-r}, \quad (C1)$$

where $p < \frac{1}{2}$, and let $Q_m$ be the even sum, $Q_m = 1 - P_m$. Using the identity 

$$\binom{m+1}{r} = \binom{m}{r} + \binom{m}{r-1},$$

the following difference equation for $P_m$ can be derived from (C1): 

$$P_{m+1} - P_m = p(Q_m - P_m) = p(1 - 2P_m). \quad (C2)$$

Eq. (C2) with the initial condition $P_1 = p$ is solved to yield 

$$P_m = \frac{1}{2} - \frac{1}{2}(1 - 2p)^m. \quad (C3)$$